Brief #119: First AI Ransomware Discovered, Docker Desktop CVE, CrowdStrike $290M Buy

Happy Sunday!

The disconnect between what executives think AI is doing for their security teams versus what analysts actually experience on the ground is becoming impossible to ignore - and it's a conversation every security leader needs to have this week.

In this week's brief:

• ESET discovered the first AI-powered ransomware that writes its own malicious code using publicly available AI models
• A major study reveals 71% of executives believe AI significantly improves security productivity, but only 22% of the analysts using these tools daily actually agree
• The cybersecurity job market continues tightening as companies cut training programs and expect new hires to already have enterprise experience

Industry News

First Known AI-Powered Ransomware Uncovered By ESET Research

• ESET researchers discovered "PromptLock" - the first known AI-powered ransomware that uses the gpt-oss-20b model via Ollama API to generate malicious Lua scripts on the fly for data exfiltration and encryption.

• The malware is written in Golang with both Windows and Linux variants identified, though it appears to be a proof-of-concept rather than having been deployed in actual attacks.

• This discovery demonstrates how publicly-available AI tools could dramatically lower the barrier for attackers to create sophisticated ransomware that can adapt to environments at unprecedented speed and scale.

Docker Desktop Vulnerability Allows Container Escape (CVE-2025-9074)

• A critical vulnerability in Docker Desktop for Windows and MacOS exposes the Docker Engine socket without authentication, allowing attackers to break container isolation and potentially access the host filesystem.

• On Windows, attackers can mount the entire filesystem with administrator privileges, read sensitive files, and even escalate to system administrator by overwriting DLLs, while MacOS impact is limited by additional security layers.

• The issue is fixed in Docker Desktop version 4.44.3 - Linux users are not affected as they use named pipes instead of TCP sockets for the Docker Engine API.

Storm-0501 Shifts To Cloud-Based Ransomware Tactics

• Financially motivated threat actor Storm-0501 has evolved from deploying traditional on-premises ransomware to using cloud-based tactics that leverage exfiltration of large data volumes and destruction of data/backups without malware deployment.

• The attack chain begins with on-premises Active Directory compromise, then pivots to Microsoft Entra ID through compromised Directory Synchronization Accounts, eventually elevating to Global Administrator privileges to access and control Azure resources.

• After gaining control, the actor deletes or encrypts critical storage accounts and disables protections like resource locks and immutability policies, then demands ransom through Microsoft Teams using compromised accounts.

Leadership Insights

CSA Survey Reveals Growing SaaS Security Priorities Amid Persistent Challenges

• The 2025 Cloud Security Alliance report shows 86% of organizations now consider SaaS security a high priority, with 76% increasing budgets and deploying solutions focused on threat detection (50%) and posture management (47%).

• Critical security gaps remain despite confidence, with 63% reporting external data oversharing, 56% experiencing unauthorized sensitive data uploads, and 57% struggling with fragmented administration across decentralized SaaS deployments.

• Identity management challenges persist as 58% struggle to enforce proper privileges, 46% cannot effectively monitor non-human identities, and many organizations rely on inadequate combinations of vendor-native tools (69%), CASBs (43%), and manual audits (46%).

CISO Panel Discusses Business-Aligned Security Strategies

• A panel of CISOs is hosting an AMA on Reddit focused on making business care about cybersecurity, running from August 25-30, 2025, featuring leaders from organizations like AuditBoard, PSG Equity, and Hydrolix.

• Responding to questions, AuditBoard CISO Richard Marcus advises against using fear tactics, recommending instead that security professionals align investments with top-level business objectives like market expansion, revenue growth, or new technology initiatives.

• The discussion highlights how implementing appropriate security measures can enable organizations to bid for high-dollar contracts and meet compliance requirements that would otherwise limit business opportunities.

CISO Survey Reveals AI Integration and Evolving Cybersecurity Priorities for 2025

• Data breaches involving customer and internal data remain top concerns (84%), with ransomware attacks (83%) and third-party supplier breaches (80%) significantly increasing in importance since 2024, showing regional differences between US and UK security priorities.

• Security infrastructure oversight has become the top resource priority (44%), but CISOs recognize a mismatch between current investments and where resources should go – with 62% believing more focus should be on security operations rather than just technological solutions.

• Organizational AI adoption is growing significantly, especially in the UK where customer service AI implementation jumped from 19% to 34%, creating new opportunities for defense capabilities while simultaneously introducing vulnerabilities through "shadow AI" usage.

Career Development

Cybersecurity Industry Facing Decline In On-The-Job Training Opportunities

• Industry professionals note that companies increasingly expect candidates to "hit the ground running" with little to no training, preferring to hire those who have self-studied or already possess enterprise experience rather than investing in developing new talent.

• The rapidly evolving cybersecurity landscape requires understanding of specific regulatory frameworks (HIPAA, SOC1, SOX, RMF, NIST) across different sectors, making it difficult for newcomers without industry-specific experience to break into the field.

• The competitive applicant pool, flooded by graduates from accelerated degree programs and certification holders with no practical experience, has made it more cost-effective for employers to hire experienced professionals rather than train entry-level candidates.

Cybersecurity Professional Starting Salaries Vary Widely, Show Market Challenges

• Reddit discussion reveals significant salary disparities for entry-level cybersecurity positions, ranging from £26k (~$33k) in the UK to $65k for help desk roles on the US West Coast, highlighting geographic and economic differences in the field.

• Many professionals report difficulty finding jobs despite credentials—one user with a Bachelor's degree, Security+ and Network+ certifications applied to 300 positions before settling for a help desk role after a year of searching.

• Multiple responses caution against relying on bootcamps alone, suggesting that cybersecurity degrees often lack sufficient practical skills, with several professionals recommending help desk experience and meaningful networking connections as crucial entry points into the industry.

SOC Teams Face Widespread Burnout With Limited HR Intervention

• Cybersecurity professionals consistently experience burnout from alert fatigue, 24/7 on-call responsibilities, and constant incident pressure, often going unnoticed until resignations occur.

• Community consensus indicates addressing SOC team stress is primarily the responsibility of direct managers rather than HR, with several commenters noting HR's primary function is protecting the company, not employee wellbeing.

• Individual resilience strategies like taking unplugged vacations and using annual leave are recommended, as organizational changes to reduce burnout are often difficult to implement.

AI & Security

State of the SOC 2025: AI Transforming Cybersecurity Operations

• AI is revolutionizing SOC capabilities, with 70% of incident investigations now fully automated, enabling a 153x increase in threat hunting activities and reducing response time from hours to seconds.

• Threat origin data shows 56% of detections coming from endpoints while 44% originate from cloud environments, with 95% of proactive response actions involving password resets and account disablements.

• Despite technological advances, human expertise remains critical – 86% of alerts require validation and 1 in 10 cases still need MDR team intervention, highlighting that AI augments rather than replaces security analysts.

Significant Perception Gap Revealed Between Executives And Analysts On AI's Cybersecurity Impact

• While 71% of executives believe AI has significantly improved security team productivity, only 22% of analysts who work with these tools daily agree, highlighting a critical disconnect between strategic vision and operational reality.

• Over half of surveyed organizations have already restructured their security teams in response to AI adoption, not to reduce headcount but to create new roles focused on automation oversight, AI governance, and faster decision-making.

• The most tangible value of AI in cybersecurity today is in threat detection, investigation, and response (TDIR), though trust in AI autonomy remains low among analysts with only 10% willing to let AI act independently versus 38% of executives.

Threat Actor Uses Claude Code to Execute "Vibe Hacking" Data Extortion Campaign

• Cybercriminal group GTG-2002 leveraged Anthropic's Claude Code to automate and scale a multisector data extortion operation, targeting at least 17 organizations across government, healthcare, emergency services, and religious institutions in just one month.

• This new evolution in AI-assisted cybercrime, termed "vibe hacking," demonstrates how threat actors are using AI coding agents as both technical consultants and active operators to execute sophisticated attacks that would normally require more time and resources.

• The threat actor provided Claude Code with their preferred operational TTPs in a CLAUDE.md file, enabling AI assistance throughout the entire attack lifecycle including reconnaissance, exploitation, lateral movement, and data exfiltration.

Market Updates

Okta Acquires Israeli Cloud Security Startup Axiom For $100 Million

• Okta has acquired Axiom, an Israeli company specializing in cloud-focused permissions and access management software for enterprise clients, strengthening Okta's identity management portfolio.

• This acquisition represents Okta's second Israeli purchase in eight months, following the Spera acquisition in December 2023, demonstrating strategic expansion in Israel's cybersecurity ecosystem.

• Axiom's team will join Okta's Israel-based development center, with the startup having raised only $10 million since its 2021 founding, indicating a substantial 10x return on investment through this acquisition.

CrowdStrike Acquires Onum For $290 Million To Enhance AI Security Capabilities

• CrowdStrike has acquired data observability startup Onum for approximately $290 million, with CEO George Kurtz emphasizing the importance of real-time pipeline detection in analyzing and detecting threats as data is ingested.

• The Madrid-based startup enhances CrowdStrike's vision for an "AI-native SOC" and aligns with their goal to secure every AI agent – which Kurtz describes as having superhuman capabilities with access to data, identity, workflows, and external systems.

• Kurtz warns that generative AI is "democratizing destruction" by making sophisticated cybersecurity expertise available to more potential attackers, significantly compressing the timeframe defenders have to respond to threats.

Netskope Files for IPO on Nasdaq Amid Cybersecurity Deal Surge

• Cloud security platform Netskope will trade under ticker symbol "NTSK" with $707 million in annual recurring revenue, up 33%, though the company still posted a $170 million net loss in the first half of 2025.

• The IPO joins a resurgent market that has seen successful debuts from companies like Figma, Circle, and eToro, coming during a period of significant consolidation in the cybersecurity sector that includes Google's $32 billion Wiz acquisition.

• Founded in 2012, Netskope faces competition from major vendors including Palo Alto Networks, Cisco, Zscaler, Broadcom and Fortinet, with top backers including Accel, Lightspeed Ventures and Iconiq.

Tools

Bitdefender GravityZone

GravityZone is a unified endpoint security and analytics platform that provides risk assessment, threat prevention, and incident response capabilities.

Cyber Cure free intelligence feeds

Intelligence feeds for cybersecurity professionals to stay informed about emerging threats and trends.

Aqua

Aqua Security is a CNAPP that provides comprehensive security for cloud native applications across their entire lifecycle, from development to production, in various cloud and container environments.

If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!

P.S. I am working with select B2B companies on the exact challenges covered above. Calendar link here if you'd like to chat.

Talk to you in the next one.

Best,

Nikoloz